Home - Unknown

Overview

This, final, section of the documentation is the place for all
the unanswered questions. Some relate to Windows' use of NTFS
and some are very technical. Your help is needed to fill in
the blanks. Thanks.

Unanswered Questions

Why do some Metadata files on NTFS 3.0+ still have Security Descriptors?

On NTFS 3.0+, $Volume, $AttrDef, dot and $Boot have Security Descriptors.
Is this to save time at boot up?
Perhaps to reduce the number of files it has to parse?
Or is this the same as the previous question?

$STANDARD_INFORMATION: Max Versions, Version Number and Class Id?

Are any of the three fields used?

Is $UsnJrnl's $J Data Stream a fixed size?

Is it a fixed size? Does it wrap around like $LogFile?

What does $UsnJrnl's $Max Data Stream do?

There's a time stamp, two fields that might be flags and a field
that might be a length.

$MountMgrDatabase

What is the format of this stream?

MFT (FILE) Records

Will we only see MFT Extension records with inodes < 23?
Is the sequence number always equal to the inode number for
the Metadata?